Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3093 articles · 172038 vulns · 37/41 feeds (7d)
← Back to list
7.5
CVE-2026-27660EXPLOITEDPATCHED
gitea · gitea

Gitea draft releases use insufficient permission checks

Description

Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.

Affected Products

VendorProductVersions
giteagitea0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
open sourcegiteacert_advisory90%

References

  • https://github.com/go-gitea/gitea/pull/36659(patch)
  • https://github.com/go-gitea/gitea/pull/36715(patch)
  • https://github.com/go-gitea/gitea/releases/tag/v1.25.5(release-notes)
  • https://blog.gitea.com/release-of-1.25.5/(release-notes)

Related News (2 articles)

Tier B
BSI Advisories1d ago
[UPDATE] [mittel] Gitea: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-27660 | Gitea up to 1.25.4 Attachments access control
→ No new info (linked only)
CVSS 3.17.5 HIGH
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
1.25.5
CWECWE-284
PublishedJul 3, 2026
Last enriched3d agov2
Trending Score55
Source articles2
Independent2
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-20896EXP
Gitea Docker image trusts spoofable reverse-proxy headers by default
Trending: 90
CRITICALCVE-2026-26247EXP
Gitea OAuth2 PKCE S256 challenges are not enforced during token exchange
Trending: 62
CRITICALCVE-2026-26292EXP
Gitea LFS mirror synchronization bypasses migration HTTP transport restrictions
Trending: 62
CRITICALCVE-2026-26232EXP
Gitea OAuth2 authorization codes lack expiry and reuse enforcement
Trending: 62
CRITICALCVE-2026-22547
Gitea repository creation accepts invalid field values
Trending: 48

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 3, 2026
Discovered by ZDM
Jul 3, 2026
Updated: description, severity, activelyExploited
Jul 4, 2026
Actively Exploited
Jul 7, 2026
Patch Available
Jul 7, 2026

Version History

v2
Last enriched 3d ago
v2Tier C3d ago

Updated severity to CRITICAL, changed exploit availability to false, and added a detailed description of the vulnerability.

descriptionseverityactivelyExploited
via VulDB
v14d ago

Initial creation